HP Insight Control Server Provisioning 7.
© Copyright 2012, 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 Introduction/overview

What is Insight Control server provisioning?

Insight Control server provisioning is a virtual appliance used to install and configure HP ProLiant servers. It uses resources such as OS Build Plans and scripts to run deployment jobs.
1.1 Components of Insight Control server provisioning

The following diagram illustrates how the IC server provisioning virtual appliance networking, Media Server, target servers, and an optional HP Matrix Operating Environment work together.
1.2.1 Adding a server via its iLO

You can add a bare metal HP ProLiant server to Insight Control server provisioning by providing the access information for the server’s embedded iLO management processor: enter the iLO’s IP address, user name, and password on the appliance’s Add server screen. The appliance then contacts the iLO, verifies the connection, and adds the server to your Servers list.
• You want to see the server listed by its default DNS name.

Reasons to not boot to maintenance mode when using iLO
• You want to run a Build Plan immediately and do not want to wait for the server to boot.
• You want to leave the server powered off until you are ready to install it.
• All your servers are of the same type so you do not need the full properties information.

Reasons to PXE boot
• You do not have iLO credentials for your target servers.
• You prefer PXE for all your needs.
Figure 2 Insight Control server provisioning target server life cycle

[Flow diagram; recoverable text:] Start: the target server is running the default service OS and is waiting for a Build Plan to be run (target server state). Run Build Plan (user action). Did the Build Plan install an OS? If yes, the target server is running the production OS and is in managed mode.
2 Configuring appliance settings

2.1 Network configuration

2.1.1 Deciding whether to use a DHCP server internal or external to the appliance

HP Insight Control server provisioning requires a DHCP server to provide IP addresses to target servers during the provisioning process. The appliance includes an internal DHCP server you may use, or you can set up your own DHCP server external to the appliance. This section is meant to help you decide which is better for your facility.
NOTE: The appliance TFTP server, which is required for target servers to PXE boot from the appliance, always runs regardless of whether the DHCP server you use is internal or external to the appliance.

2.1.2 Setting up a DHCP server external to the appliance

The Insight Control server provisioning appliance supports either the DHCP server internal to the appliance or an external DHCP server set up at your facility.
Procedure 2 To set up an external Linux DHCP server

If you are using a standard ISC Linux DHCP server, set the following options in order to PXE boot servers from the appliance.

1. Be sure to set the lease time to at least one day. Here is an example:
   default-lease-time 86400;
   max-lease-time 129600;
2. The following lines must be included in the global options declarations:
   option buildmgr_ip code 186 = ip-address;
   option buildmgr_port code 187 = unsigned integer 16;
3.
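As an added example (not from the guide), a small Python checker that reads an ISC dhcpd.conf and reports whether it meets the two requirements above: a lease of at least one day and the buildmgr option declarations with codes 186 and 187. The SAMPLE_DHCPD_CONF text is constructed here for the check to run offline.

```python
import re

# Constructed sample dhcpd.conf (not from the guide). It carries the settings
# the procedure asks for: a lease of at least one day and the two buildmgr
# option declarations, plus an unrelated subnet block to show they are ignored.
SAMPLE_DHCPD_CONF = """
default-lease-time 86400;   # one day, as the procedure requires
max-lease-time 129600;
option buildmgr_ip code 186 = ip-address;
option buildmgr_port code 187 = unsigned integer 16;
subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.50 10.0.0.100; }
"""

ONE_DAY = 86400  # seconds

def strip_comments(text):
    """Drop '#' comments so a commented-out option is not mistaken for a live one."""
    return re.sub(r"#.*", "", text)

def lease_seconds(conf, key):
    """Value of a top-level lease setting such as default-lease-time, or None."""
    m = re.search(rf"^\s*{key}\s+(\d+)\s*;", strip_comments(conf), re.M)
    return int(m.group(1)) if m else None

def has_option_decl(conf, name, code, dtype):
    """True if 'option <name> code <code> = <dtype>;' is declared."""
    pat = rf"^\s*option\s+{name}\s+code\s+{code}\s*=\s*{re.escape(dtype)}\s*;"
    return re.search(pat, strip_comments(conf), re.M) is not None

def check_dhcpd_conf(conf):
    """Return a list of problems; an empty list means the config meets the procedure."""
    problems = []
    for key in ("default-lease-time", "max-lease-time"):
        secs = lease_seconds(conf, key)
        if secs is None:
            problems.append(f"{key} not set")
        elif secs < ONE_DAY:
            problems.append(f"{key} is {secs}s, must be at least {ONE_DAY}s")
    if not has_option_decl(conf, "buildmgr_ip", 186, "ip-address"):
        problems.append("missing: option buildmgr_ip code 186 = ip-address;")
    if not has_option_decl(conf, "buildmgr_port", 187, "unsigned integer 16"):
        problems.append("missing: option buildmgr_port code 187 = unsigned integer 16;")
    return problems
```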
3 Backing up and restoring your appliance

3.1 Overview

Insight Control server provisioning provides services to back up and restore an appliance. If an appliance is lost or corrupted, it might be necessary to restore the appliance from a backup. A backup contains configuration settings and management data and is stored in a file of proprietary format. REST APIs and sample scripts are provided to perform backup and restore operations.
Only users with the Infrastructure Administrator or Backup Administrator role have permission to create a backup. Only an Infrastructure Administrator may restore a backup.

3.2.2 Backup REST API overview

The backup REST API provides REST calls to:
• request a backup
• check the backup status
• download the completed backup
• cancel a backup
These calls are summarized in the table below.
3.2.3 Sample backup script

An example PowerShell script is provided for creating and downloading a backup. The sample script is available on the Insight Control server provisioning media and in the product download zip file. This script uses PowerShell version 3.0. It makes REST calls to create and download a backup. The sample script can be scheduled to run automatically on a regular basis.

3.2.3.
3. Calls backup-appliance() to issue a REST request to start a backup.
4. Calls waitFor-completion() to issue REST requests to poll for backup status until the backup completes.
5. Calls get-backupResource() to issue a REST request to get the download URI.
6. Calls download-backup() to issue a REST request to download the backup.

The following table provides an overview of the functions in the sample script.

Function | Description | Parameters
queryfor-credentials | Gathers information from | N.A.
3.2.3.4 Troubleshooting tips

The following table contains REST API error codes and resolutions.

HTTP error | Response body error code | Description | Resolution
401 Unauthorized | AUTHORIZATION | An incorrect user name or password was specified. | Specify the correct user name and password.
404 Not Found | RESOURCE_NOT_FOUND | The incorrect URI was specified. | Specify the correct URI. You may need to wait for the appliance software to start.
After a restore completes, the appliance administrator must manually resolve any remaining inconsistencies, which are identified with alerts.

CAUTION: Restoring a backup replaces all management data and most configuration settings on the appliance. The appliance is not operational during a restore. It can take several hours to perform a restore. A restore cannot be cancelled or undone once it has started.
1. Complete the steps in “Preparing for a restore” (page 18) before beginning.
2. Issue the REST request to log in to the appliance as a user with an Infrastructure Administrator role.
3. Issue the REST request to upload the backup file to the appliance. Specify the session ID returned by the login request in the auth header.
4. Check the response to the upload request to make sure the upload succeeded.
appliance as a user with the role of Infrastructure Administrator. The REST API calls to get restore status information do not require a session ID.

REST call | Request headers | Request body | Response headers | Response body | Description
POST | auth: session ID, Multipart form data | N.A.
To get status about a restore under way, run the script with the -status parameter and the appliance host name in the form https://{hostname}.

3.3.5.2 Example output

Example output from running the script to upload and restore a backup:

PS C:\Users\Joe> C:\Users\Joe\Documents\restore.ps1
Restoring from backup is a destructive process, continue anyway? y
Enter directory backup is located in (ie: C:\users\joe\) C:\users\Joe\Documents
Enter name of backup (ie: appliance_vm1_backup_2012-07-07_555555.
The following table provides an overview of the functions in the sample script.

Function | Description | Parameters
query-user | Obtains information from user needed to interact with appliance. | N.A.; Output loginVals: a hash table that contains the information obtained from user.
login-appliance | Sends the user name and password to the appliance, and obtains an authorized session ID. |
3.3.5.4 Troubleshooting tips

The following table contains REST API error codes and resolutions.

HTTP error | Response body error code | Description | Resolution
400 Bad Request | INVALID_PARAMETER | An invalid backup ID was specified. | Specify a valid backup ID. It must be in the form _backup_YYYY-MM-dd_HHmmss
401 Unauthorized | AUTHORIZATION | An incorrect user name or password was specified. | Specify the correct user name and password.
4 Security considerations

Insight Control server provisioning is delivered as a security-hardened virtual appliance. The number of open ports and the protocols supported on them have been limited to the minimum necessary for the operation of Insight Control server provisioning.

4.1 Assumptions

The appliance should be on a deployment network, separate from the production network (see “Security best practices” (page 31) for more information).
4.5.1 User accounts and roles

User login accounts on the Insight Control server provisioning appliance must be assigned a role. The role determines what the user account has permission to view and do. For instance, a Server Administrator cannot edit an OS Build Plan.
• Object Type
• Object Descriptor
• Message

Sample audit entries showing a user login and logout:

2012-11-16 14:55:20.706 CST,Authentication,,,administrator,jrWI9ych,,,SUCCESS,LOGIN,INFO,CREDENTIAL,,Authentication SUCCESS
2012-11-16 14:58:15.
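An added example, not part of the guide: a Python parser for the 14-field comma-separated audit format shown above, with two defender-side checks run over constructed sample lines (bursts of failed logins per user, and sessions that were logged in but never logged out, the situation 4.9.4 warns about). Only the last three column names come from the guide; the other column names, the FAILURE result and the LOGOUT action are my inferences and assumptions, and the sample lines after the first are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Column positions follow the guide's sample entry (14 comma-separated fields).
# Only the last three names are given in the guide; "component", "user",
# "session", "result", "action" and "severity" are INFERRED from the sample
# values, and f2/f3/f6/f7 are columns whose names the excerpt does not show.
COLS = ["timestamp", "component", "f2", "f3", "user", "session", "f6", "f7",
        "result", "action", "severity", "object_type", "object_descriptor", "message"]

# Constructed sample log: line 1 is the guide's own example; the rest are made
# up here and use ASSUMED values ("LOGOUT" action, "FAILURE" result) that the
# excerpt does not show.
SAMPLE_AUDIT = """\
2012-11-16 14:55:20.706 CST,Authentication,,,administrator,jrWI9ych,,,SUCCESS,LOGIN,INFO,CREDENTIAL,,Authentication SUCCESS
2012-11-16 14:58:15.001 CST,Authentication,,,administrator,jrWI9ych,,,SUCCESS,LOGOUT,INFO,CREDENTIAL,,Authentication SUCCESS
2012-11-16 15:01:00.000 CST,Authentication,,,backupadmin,,,,FAILURE,LOGIN,INFO,CREDENTIAL,,Authentication FAILURE
2012-11-16 15:01:07.000 CST,Authentication,,,backupadmin,,,,FAILURE,LOGIN,INFO,CREDENTIAL,,Authentication FAILURE
2012-11-16 15:01:13.000 CST,Authentication,,,backupadmin,,,,FAILURE,LOGIN,INFO,CREDENTIAL,,Authentication FAILURE
2012-11-16 15:30:00.000 CST,Authentication,,,operator,Ab12Cd34,,,SUCCESS,LOGIN,INFO,CREDENTIAL,,Authentication SUCCESS
"""

def parse_audit(text):
    """Return one dict per well-formed entry; truncated lines are skipped."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) != len(COLS):
            continue
        row = dict(zip(COLS, (v.strip() for v in rec)))
        # the timestamp ends with a zone name; parse the date/time part only
        row["when"] = datetime.strptime(row["timestamp"][:23], "%Y-%m-%d %H:%M:%S.%f")
        rows.append(row)
    return rows

def failed_login_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed LOGIN entries inside one `window`."""
    times = defaultdict(list)
    for r in rows:
        if r["action"] == "LOGIN" and r["result"] != "SUCCESS":
            times[r["user"]].append(r["when"])
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.add(user)
    return flagged

def open_sessions(rows):
    """Session IDs with a successful LOGIN but no LOGOUT entry (cf. 4.9.4)."""
    opened = {r["session"] for r in rows
              if r["action"] == "LOGIN" and r["result"] == "SUCCESS" and r["session"]}
    closed = {r["session"] for r in rows if r["action"] == "LOGOUT"}
    return opened - closed
```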
The default certificate generated by the appliance is self-signed, meaning the appliance signs it with its own key rather than having it issued by a trusted authority. By default, browsers do not trust self-signed certificates because they have no prior knowledge of them. The browser displays a warning so the user can verify the content of the self-signed certificate before accepting it. A Certificate Authority (CA) can be used to simplify certificate trust management, where the trusted CA issues the certificates.
Certificates, then Import. When prompted for the certificate store, choose the Place… option and select the Trusted Root Certification Authorities store.

4.9.4 Browser best practices

• Log out before closing the browser. In the browser, a cookie is used to store the authenticated user’s session ID. A memory-based cookie is used so it is deleted upon closing the browser; however, this does not affect the session on the appliance. Logging out ensures the session on the appliance is invalidated.
to succeed. The certificate can be obtained from a browser pointed at the appliance. See “Download” (page 27) for information on downloading the certificate.

4.12 Appliance hardening

4.12.1 Port list

The following table lists the ports that must be open for Insight Control server provisioning.
2. Enter the username pwreset.
3. The appliance will present a challenge key. For example:
   login: pwreset
   Challenge = xyaay42a3a
   Password:
4. Call HP Support to obtain the one-time password that will reset the administrator password for the Insight Control server provisioning appliance. The challenge will need to be read to the support representative.
5. The HP Support representative will use the challenge code to generate the one-time password.
The following SSL cipher suites are enabled on the Insight Control server provisioning appliance web server. These cipher suites are for the connection between the browser and the IC server provisioning appliance.
modifications and additions. Following are numerous security practices recommended by HP in a virtualized environment. This is only a partial list, as differing security policies and implementation practices make it difficult to provide a complete and definitive list. However, this list will serve as a good starting point.

• Use a separate deployment network.
• For local accounts on the appliance, periodically change the passwords in accordance with your password policies and consider the following guidelines:
  ◦ Default passwords should be changed immediately to a more relevant and secure password.
  ◦ Administrators should change management device passwords with the same frequency and according to the same guidelines as the server administrative passwords.
5 Advanced topics

5.1 REST APIs to enable HP Support access or add a server via iLO

Enabling or disabling HP Support services access, or adding a server via iLO, through REST (Representational State Transfer) requires three REST calls. The first call sets up a user session and generates an authentication token; the second call enables/disables services access or adds a server via iLO; finally, the user session is ended with a logout REST call.
Content-Type: application/json
Via: 1.1 cic.dns.hp
cache-control: no-cache
Transfer-Encoding: chunked

{"sessionID":""}

If the request fails, error diagnostics are returned. Common errors are HTTP error 404 Not Found if the URL is not correct, or an exception if the user name or password is not correct.

5.1.2 REST call to log out of the user session

The REST call to log out of the user session requires you to pass the user authorization token.
you can also accomplish this programmatically. This alternate approach is valuable if the appliance user interface is unresponsive and you need to enable HP Support access for diagnosing a problem. Programmatically, one needs to make three REST calls to the Insight Control server provisioning appliance. The first call sets up a user session, while the second call enables or disables support access to the appliance.
True

If the request fails, error diagnostics are returned. Common errors are HTTP error 404 Not Found if the URL is not correct, or an exception if the associated user is not authorized to enable/disable services access. Below is an example Linux shell script using cURL that logs into the appliance, enables or disables support access, and logs out.
REST component | Description
Request Body: {"type":"OSDIlo","username":"","password":"","port":,"ipAddress":""} | Type is the resource name. You supply the username, the password, the port to use in connecting to iLO, and the IPv4 address.
Response Body: {"uri":"/rest/os-deployment-jobs/JobID"} | Returns the URI with the Job ID.
REST component | Description
HTTP Headers: accept: application/json; content-type: application/json; accept-language: en-us (optional); auth: session ID | In the auth header you supply the session ID returned by the login request.
Request Body: {"type":"OSDIlo","username":"","password":"","port":,"ipAddress":""} | Type is the resource name.
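As an added example (not the guide's cURL or PowerShell script), a Python client that wraps the three-call sequence of 5.1 as a context manager so the logout call is made even when the middle call fails, and uses it to send the OSDIlo request from the table above. The login/logout paths, the login body keys, the use of DELETE for logout, the default iLO port, the credentials and the make_fake_transport stand-in are assumptions and constructed values, not taken from the guide.

```python
# Added example, not the guide's own script. The "auth" header, JSON headers,
# the OSDIlo request body and the job URI response are as the guide shows them.
# ASSUMED (not in the excerpt): the login/logout paths, the login body keys and
# the use of DELETE for logout; replace them with your appliance's values.
LOGIN_PATH = "/rest/login-sessions"              # assumption
ADD_SERVER_PATH = "/rest/os-deployment-servers"  # assumption
JSON_HEADERS = {"accept": "application/json", "content-type": "application/json"}

class ApplianceSession:
    """5.1 pattern: log in on enter, do the work, always log out on exit."""

    def __init__(self, transport, username, password):
        # transport(method, path, headers, body) -> (http_status, response_dict)
        self._send = transport
        self._login_body = {"userName": username, "password": password}  # assumed keys
        self.session_id = None

    def _headers(self):
        h = dict(JSON_HEADERS)
        if self.session_id:
            h["auth"] = self.session_id  # the session ID travels in the auth header
        return h

    def __enter__(self):
        status, body = self._send("POST", LOGIN_PATH, self._headers(), self._login_body)
        if status != 200 or not body.get("sessionID"):
            raise RuntimeError(f"login failed: HTTP {status}")
        self.session_id = body["sessionID"]
        return self

    def __exit__(self, *exc):
        self._send("DELETE", LOGIN_PATH, self._headers(), None)  # logout (method assumed)
        self.session_id = None
        return False  # propagate any error raised inside the with-block

    def add_server_via_ilo(self, ip_address, username, password, port=443):  # port assumed
        """POST the OSDIlo body and return the os-deployment-jobs URI."""
        body = {"type": "OSDIlo", "username": username, "password": password,
                "port": port, "ipAddress": ip_address}
        status, resp = self._send("POST", ADD_SERVER_PATH, self._headers(), body)
        if status not in (200, 201, 202) or "uri" not in resp:
            raise RuntimeError(f"add server failed: HTTP {status} {resp.get('errorCode')}")
        return resp["uri"]

def make_fake_transport(log, fail_add=False):
    """Constructed stand-in for the appliance so the flow runs offline."""
    def transport(method, path, headers, body):
        log.append((method, path, headers.get("auth")))
        if path == LOGIN_PATH and method == "POST":
            return 200, {"sessionID": "jrWI9ych"}  # ID shape as in the guide's audit sample
        if path == LOGIN_PATH and method == "DELETE":
            return 204, {}
        if path == ADD_SERVER_PATH and headers.get("auth") == "jrWI9ych" and not fail_add:
            return 202, {"uri": "/rest/os-deployment-jobs/JobID"}
        return 404, {"errorCode": "RESOURCE_NOT_FOUND"}
    return transport

def register_server(transport, ilo_ip):
    """Log in, add the server through its iLO, log out; returns the job URI."""
    with ApplianceSession(transport, "administrator", "example-password") as s:
        return s.add_server_via_ilo(ilo_ip, "ilo-user", "example-ilo-password")
```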
Once the registration process starts, a user will see two iLO related jobs in the left hand side column of the Jobs page. First job — “Registers IloManagerService” will contain the job details of adding a server through iLO. Second job — “Add iLO-managed Server” will contain job details booting a server into default service OS, usually Linux PE.
REST component Description You will use in the subsequent REST call to download the support dump.
virtual appliance. Look for the files with the .current extension. There are different agent files depending on the operating system version and architecture type. The SA Agent files are listed below:

Operating System | SA Agent to download
Windows 2008 x64 | opsware-agent-NT-6.0-X64.current
Windows 2008 R2 x64 | opsware-agent-NT-6.1-X64.current
Windows 2012 x64 | opsware-agent-NT-6.2-X64.current
Red Hat EL 5.x | opsware-agent-LINUX-5SERVER-X86_64.current
Red Hat EL 6.x | opsware-agent-LINUX-6SERVER-X86_64.
6 Support and other resources

6.1 Contacting HP

6.1.1 Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Insight Control server provisioning version
• Applicable error message
• Third-party hardware or software
• Operating system type and revision level
• Support dump (optional): see “Creating a support dump” (page 43)

6.1.2 Creating a support dump

6.1.2.
Information about the running appliance, including:
• All processes
• Memory
• Disk space
• Network statistics
• Routing
• Hardware information

Log data, including:
• All standard Linux operating system logs
• All appliance logs
• Logs from all jobs run in the past three days
• Installation logs
• The system audit log

Other information:
• A status report of all processes
• Dates of any certificates used

NOTE: The following types of items might be included in the support dump as a r
6.2 Related information

6.2.1 Documents

The following documents are available at http://www.hp.com/go/insightcontrol/docs.
• HP Insight Control Server Provisioning Online Help (in PDF form)
• HP Insight Control Server Provisioning Administrator Guide
• The white paper Data Migration from HP Insight Control server deployment to HP Insight Control server provisioning

6.2.2 Websites

• Software download website: http://www.hp.
CAUTION: A caution calls attention to important information that, if not understood or followed, will result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: This alert provides essential information to explain a concept or to complete a task.
NOTE: A note contains additional information to emphasize or supplement important points of the main text.
6.
7 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
Glossary

agent: Software on managed servers used to make changes to the servers. Functions supported include software installation and removal, software and hardware configuration, and server status reporting.
answer file: See configuration file.
appliance: See virtual appliance.
AutoYaST file: The specific term to use when referring to a SUSE Linux Enterprise Server (SLES) configuration file.
bare metal: Describes a server that does not have a production operating system installed.
HP Scripting Toolkit (STK): A server deployment product for unattended server provisioning.
HPSUM: HP Smart Update Manager, a common tool for firmware and driver updates.
iLO: See Integrated Lights-Out (iLO).
iLO Virtual Media: An HP Integrated Lights-Out (iLO) feature that allows you to attach a removable storage device or image file from a client machine to the server, and have that appear to the server as a local device.
OS distribution files: The files that make up an operating system before that operating system is installed on a server. These files are provided to consumers via ISO images or physical CD/DVDs from OS companies such as Microsoft, Red Hat, VMware, and Novell.
OS personalization: The process of giving a running server the characteristics that make it unique, including IP configuration, host name, and domain. A server can be personalized during the initial OS deployment or after the OS is already installed.
Table 5 Server statuses (continued)
The server is unreachable. This means HP Insight Control server provisioning is not able to communicate with the server.
Server status is unknown to Insight Control server provisioning.
See also maintenance mode, provisioned, and unreachable.

service OS: A special purpose operating system that runs entirely in system memory and is used to perform various maintenance functions on a server, including preparing a system for operating system installation.